Re: [RFC] How to handle the rules engine for cgroups

From: Rik van Riel
Date: Thu Jul 10 2008 - 10:52:30 EST


On Thu, 10 Jul 2008 02:23:52 -0700
"Paul Menage" <menage@xxxxxxxxxx> wrote:

> I don't see the rule-based approach being all that useful for our needs.

Agreed, there really is no need for a rule-based approach in kernel space.

There are basically three different cases:

1) daemons get started up in their own process groups, this can
be handled by the initscripts

2) user sessions (ssh, etc) start in their own process groups,
this can be handled by PAM

3) users fork processes that should go into special process
groups - this could be handled by having a small ruleset
in userspace handle things, right before calling exec(),
it can even be hidden from the application by hooking into
the exec() call

If a user overrides the rules for their own processes, at worst
s/he takes away resources from him/herself. No security problem.

Is there any reason at all to push for a kernel side rule-based
engine, except "I want to make my patch set unmergeable?"

--
All Rights Reversed
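
Case 3 above, sketched as an added example (not code from this thread or from any cgroup tool): a small userspace ruleset is consulted right before `execv()` and the process moves itself into the matching group. The rule table, the function names and the `/sys/fs/cgroup/cpu` mount point are assumptions for illustration; the `tasks` file is the cgroup v1 interface.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample ruleset: executable path pattern -> cgroup name. */
struct rule { const char *pattern; const char *cgroup; };
static const struct rule rules[] = {
    { "/usr/bin/firefox*", "browsers" },
    { "/usr/bin/make",     "builds"   },
    { "*/gcc*",            "builds"   },
};

/* First matching rule wins; NULL means "stay in the inherited group". */
const char *match_rule(const char *exe)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (fnmatch(rules[i].pattern, exe, 0) == 0)
            return rules[i].cgroup;
    return NULL;
}

/* Attach the caller to <root>/<cgroup> by writing its pid to "tasks".
 * The write runs with the user's own credentials, so the permissions on
 * that file decide which groups the user can actually join. */
int join_cgroup(const char *root, const char *cgroup)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%s/tasks", root, cgroup);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int ok = fprintf(f, "%ld\n", (long)getpid()) > 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* exec() wrapper: classify, try to join, then exec regardless of outcome. */
int exec_with_rules(const char *root, const char *exe, char *const argv[])
{
    const char *cg = match_rule(exe);
    if (cg && join_cgroup(root, cg) != 0)
        perror("join_cgroup");      /* non-fatal: run in the inherited group */
    return execv(exe, argv);        /* returns only on failure */
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return 2;
    exec_with_rules("/sys/fs/cgroup/cpu", argv[1], argv + 1);
    perror("execv");
    return 127;
}
```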